curator

Warn

Audited by Snyk on May 3, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly searches GitHub ("Task(subagent_type="ralph-researcher", prompt="Search GitHub for ${DOMAIN} repositories")" in Stage 1) and clones public repositories ("Clone and prepare repositories" in Ingest) and then extracts patterns to update procedural memory, so it ingests untrusted, user-generated web content that can influence agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill explicitly clones and ingests external GitHub repositories at runtime (e.g., https://github.com/{owner}/{repo} or git@github.com:{owner}/{repo}.git via the /curator quick --repo owner/repo and ingest/learn stages), and those fetched repo contents are injected into the learning/prompting pipeline so remote content can directly shape agent prompts/behavior.

Audit Metadata

Risk Level: MEDIUM
Analyzed: May 3, 2026, 11:06 AM
Issues: 2